
How can I debug the issue that my FW signature verification fails?

BEnge.1
Associate III

Hello,

I am using the SBSFU with the KMS on my STM32L486RG. I activated the verbose debug in the config file and this is the output that I am getting when flashing the binary file combining the boot-loader and my user application at the same time:

0693W00000JNzxfQAD.png 

As you can see, the boot-loader fails to verify the authenticity of the firmware. How can I debug this problem?

If I debug the SBSFU.elf alone from the STM32CubeIDE, the secure boot tells me that there is no firmware in the active slot (obviously) so does not verify it...

I am using ECCDSA for the firmware authenticity verification and using this same boot-loader configuration in another project without any problem.

Thanks in advance for the help,

Benjamin

1 ACCEPTED SOLUTION

BEnge.1
Associate III

Thank you for the help everyone.

The issue was that because I use the KMS, the ECC public key is inserted in the kms_platf_objects_config.h file during prebuild.sh, but for some reason, even though I changed the private key in 2_Images\2_Images_SECoreBin\Binary, the public key was not updated during build.

So what I did is:

  • Update the kms_platf_objects_config.h file like that: 0693W00000JO5QDQA1.png
  • Clean the Secure Engine, SBSFU and my Application project
  • Rebuild the 3 projects and, as the @ECDSA_SBSFU_KEY_1@ was present in the file, it was replaced by the correct public key when running the prebuild.sh during the build of the Secure Engine project


5 REPLIES
BEnge.1
Associate III

Hey all,

I noticed that the problem is linked to me changing the ECC DSA private key. I generated a key using

python3 prepareimage.py  keygen  -k ECCKEY1.txt -t ecdsa-p256

and placed ECCKEY1.txt in 2_Images_SECoreBin/Binary. If I replace this key with the one provided in the example projects, the signature is verified correctly. Am I missing something?

Validation presumably occurs with the PUBLIC KEY, if you change the private one, signing the image with it, expect to change the public one the authentication is using.

Fred
ST Employee

Hi,

When you use prepareimage with the keygen command you generate a new private ECC key.

This private key gets stored in ECCKEY1.txt.

This key will never go into your device, it remains on your HOST PC side to sign the bundle.

On device side, we need to embed the corresponding ECC public key.

This is done by the tooling (prebuild stage) when recompiling the SECoreBin project.

So what you need to do is:

  1. Generate the new ECC private key just like what you did and obtain ECCKEY1.txt
  2. Copy ECCKEY1.txt in Applications\2_Images\2_Images_SECoreBin\Binary
  3. Now, you need to FORCE the SECoreBin build

The problem is that the IDE will not detect that there is a dependency with ECCKEY1.txt, so you need to clean your project and rebuild it to make sure the prebuild stage is done again.

During this prebuild stage:

  • the ECC public key will be derived from the private key you provided in the text file
  • this key will be added in a .s file

So, to make sure it goes well you can make a diff on this file (if you work with STM32CubeIDE):

Applications\2_Images\2_Images_SECoreBin\STM32CubeIDE\se_key.s

The content of se_key.s must have been updated with the new public key (SE_ReadKey_Pub).

This .s file gets compiled in your SECoreBin and will be used to verify the signature of your bundle.

You also need to regenerate SBSFU to integrate the updated SECoreBin binary.

At this point, your public and private keys should match and the verification should succeed.

Of course, do not forget to regenerate your bundle with your new private key on PC side (UserApp compilation and postbuild stage to sign it).

Thanks & Regards,

Fred

P.S.: what I write is without KMS, but the same principle should apply except that the public key will be injected in KMS embedded keys instead of going into a .s file. So probably you won't be able to make the diff easily.
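Added example (not part of the thread and not ST tooling): a host-side check that the public key embedded in the device build belongs to the private key used for signing, which is the mismatch discussed above. It assumes ECCKEY1.txt is a SEC1 "EC PRIVATE KEY" PEM file and that you can copy the embedded key out of the generated source as hex bytes X||Y; the function names and sample keys are hypothetical.

```python
import base64, re

# NIST P-256 parameters (key type ecdsa-p256). Not constant-time: host-side checking only.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

def _add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def public_from_scalar(d):
    """Double-and-add d*G; returns the public key as 64 bytes X||Y."""
    acc, base = None, G
    while d:
        if d & 1:
            acc = _add(acc, base)
        base, d = _add(base, base), d >> 1
    return acc[0].to_bytes(32, "big") + acc[1].to_bytes(32, "big")

def scalar_from_pem(pem_text):
    """Private scalar from a SEC1 'EC PRIVATE KEY' PEM block (assumed key file format)."""
    m = re.search(r"-----BEGIN EC PRIVATE KEY-----(.*?)-----END", pem_text, re.S)
    der = base64.b64decode("".join(m.group(1).split())) if m else b""
    if der[2:7] != b"\x02\x01\x01\x04\x20":  # INTEGER 1, then OCTET STRING of 32 bytes
        raise ValueError("not a P-256 SEC1 private key")
    return int.from_bytes(der[7:39], "big")

def key_pair_matches(pem_text, embedded_hex):
    """True if embedded_hex (X||Y, optional 04 prefix, any separators) matches the PEM key."""
    h = re.sub(r"0x|[^0-9a-fA-F]", "", embedded_hex).lower()
    if len(h) == 130 and h.startswith("04"):
        h = h[2:]
    return h == public_from_scalar(scalar_from_pem(pem_text)).hex()

def sample_pem(d):
    """Constructed test input: minimal SEC1 PEM for scalar d (not a real project key)."""
    der = b"\x30\x31\x02\x01\x01\x04\x20" + d.to_bytes(32, "big") + bytes.fromhex("a00a06082a8648ce3d030107")
    return "-----BEGIN EC PRIVATE KEY-----\n" + base64.b64encode(der).decode() + "\n-----END EC PRIVATE KEY-----\n"
```

A False result from key_pair_matches after replacing ECCKEY1.txt means the prebuild stage did not regenerate the embedded key, so a clean and rebuild of SECoreBin and SBSFU is still needed.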

Fred
ST Employee

Additional info can be found here: Integration guide for the X-CUBE-SBSFU STM32Cube Expansion Package - Application note

See section 5, especially 5.4
